Putting all your eggs in one basket with a password manager

Should you use a password manager? It really depends on how many different accounts you have. The trade-off you need to decide on is:

Should I put all my eggs in one basket, and protect them well?; or

Should I keep them separate, and protect each one with reasonable measures?

In the past, we’ve seen what can happen if a password manager becomes vulnerable. LastPass is a very popular password manager, which I happen to use (not for all of my passwords, but for most of them). For my banking and a few other important accounts, I go by memory. So, even if my password manager is hacked, I have some assurance that my most valuable information is not at risk. But that’s just a personal preference.

I have over a hundred accounts (many are for testing or for projects I’m working on). You may not have this many, but if you count up how many accounts you actually have, and think about the fact that you should really have a different password on each one, the idea of a password manager makes a lot of sense; since you’ll only need to remember one really good password.

But password managers do carry some risks that you should consider. I happen to believe these risks are countered by the value I get from the product.

LastPass was recently in the news because an individual named Sean Cassidy (not the guy who sang “Da Doo Ron Ron” in the 1970’s”) figured out a way to use a phishing attack to trick people into thinking they were logging into their LastPass account, and showed how a LastPass master password could be stolen. He exercised a practice called “Responsible Disclosure” by notifying LastPass management of the vulnerability he found in how users respond to phishing attacks. LastPass worked with Mr. Cassidy to identify ways to reduce the risk from this type of attack scenario.

Also, a year or so ago, LastPass servers were attacked by a hacker, and there was some evidence that some information may have been stolen. However the information that may have been stolen didn’t include any passwords or any seriously sensitive information about users. In both cases of potential risk to LastPass users, it helped that LastPass has a very robust architecture, which means they had several levels of protection in place.

So, I still use LastPass for most of my routine accounts, but that’s because I believe it has a good security architecture, and they are pretty good at Responsible Disclosure and reacting quickly to incidents with information for users, which makes everyone aware of any known risks. If this situation changes at any time, LastPass also offers an “export” feature that lets me migrate all of my passwords to another solution, if necessary.

There are many password managers to choose from on the market, and you may like one of them more than LastPass – perhaps based on some features you like. But you should look for objective reviews of the solution’s security architecture, to make sure it’s reasonably secure. For LastPass, there’s a good description of its basic security architecture starting at about 52:30 of this YouTube clip by Steve Gibson of the Security Now Podcast.

You should also look for evidence that the organization supplying or supporting the password manager will let you know when they become aware of any risks. So, are the benefits of your password management approach worth the risks? And do you know the risks?